Re: [PATCH v2 0/5] Automatic TPM Disk Unlock


From: Gary Lin
Subject: Re: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Mon, 6 Feb 2023 13:53:43 +0800

On Tue, Feb 01, 2022 at 05:02:52AM -0800, Hernan Gatta wrote:
> Updates since v1:
> 
Hi,

Is there any further progress with this patchset?
I have a prototype patchset to support authorized policy and it heavily
relies on the TPM2 stack implemented by this patchset. I would love to see
this patchset upstream and contribute my patches.

Thanks,

Gary Lin

> 1. One key can unlock multiple disks:
>    It is now possible to use key protectors with cryptomount's -a and -b
>    options.
> 
> 2. No passphrase prompt on error if key protector(s) specified:
>    cryptomount no longer prompts for a passphrase if key protectors are
>    specified but fail to provide a working unlock key seeing as the user
>    explicitly requested unlocking via key protectors.
> 
> 3. Key protector parameterization is separate:
>    Previously, one would parameterize a key protector via a colon-separated
>    argument list nested within a cryptomount argument. Now, key protectors are
>    expected to provide an initialization function, if necessary.
> 
>    As such, instead of:
> 
>    cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
> 
>    one now writes:
> 
>    tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
>    cryptomount -k tpm2
> 
>    Additionally, one may write:
> 
>    cryptomount -k protector_1 -k protector_2 ...
> 
>    where cryptomount will try each in order on failure.
> 
> 4. Standard argument parsing:
>    The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect
>    tool uses 'struct argp_option'. Additionally, common argument parsing
>    functionality is now shared between the module and the tool.
> 
> 5. More useful messages:
>    Both the TPM2 module and the grub-protect tool now provide more useful
>    messages to help the user learn how to use their functionality (--help and
>    --usage) as well as to determine what is wrong, if anything. Furthermore, the
>    module now prints additional debug output to help diagnose problems.
> 
> I forgot to mention last time that this patch series intends to address:
> https://bugzilla.redhat.com/show_bug.cgi?id=1854177
> 
> Previous series:
> https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
> 
> Thank you,
> Hernan
> 
> Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
> 
> Hernan Gatta (5):
>   protectors: Add key protectors framework
>   tpm2: Add TPM Software Stack (TSS)
>   protectors: Add TPM2 Key Protector
>   cryptodisk: Support key protectors
>   util/grub-protect: Add new tool
> 
>  .gitignore                             |    1 +
>  Makefile.util.def                      |   19 +
>  configure.ac                           |    1 +
>  grub-core/Makefile.am                  |    1 +
>  grub-core/Makefile.core.def            |   11 +
>  grub-core/disk/cryptodisk.c            |  166 +++-
>  grub-core/kern/protectors.c            |   75 ++
>  grub-core/tpm2/args.c                  |  129 ++++
>  grub-core/tpm2/buffer.c                |  145 ++++
>  grub-core/tpm2/module.c                |  710 +++++++++++++++++
>  grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
>  grub-core/tpm2/tcg2.c                  |  143 ++++
>  grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
>  include/grub/cryptodisk.h              |   14 +
>  include/grub/protector.h               |   48 ++
>  include/grub/tpm2/buffer.h             |   65 ++
>  include/grub/tpm2/internal/args.h      |   39 +
>  include/grub/tpm2/internal/functions.h |  117 +++
>  include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
>  include/grub/tpm2/internal/types.h     |  372 +++++++++
>  include/grub/tpm2/mu.h                 |  292 +++++++
>  include/grub/tpm2/tcg2.h               |   34 +
>  include/grub/tpm2/tpm2.h               |   38 +
>  util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
>  24 files changed, 5897 insertions(+), 30 deletions(-)
>  create mode 100644 grub-core/kern/protectors.c
>  create mode 100644 grub-core/tpm2/args.c
>  create mode 100644 grub-core/tpm2/buffer.c
>  create mode 100644 grub-core/tpm2/module.c
>  create mode 100644 grub-core/tpm2/mu.c
>  create mode 100644 grub-core/tpm2/tcg2.c
>  create mode 100644 grub-core/tpm2/tpm2.c
>  create mode 100644 include/grub/protector.h
>  create mode 100644 include/grub/tpm2/buffer.h
>  create mode 100644 include/grub/tpm2/internal/args.h
>  create mode 100644 include/grub/tpm2/internal/functions.h
>  create mode 100644 include/grub/tpm2/internal/structs.h
>  create mode 100644 include/grub/tpm2/internal/types.h
>  create mode 100644 include/grub/tpm2/mu.h
>  create mode 100644 include/grub/tpm2/tcg2.h
>  create mode 100644 include/grub/tpm2/tpm2.h
>  create mode 100644 util/grub-protect.c
> 
> -- 
> 1.8.3.1
> 
> 
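As an added illustration of the cryptomount -k semantics described in the cover letter (tried in order, no passphrase prompt when named protectors fail), here is a small C model written for this page; it is not code from the thread or from GRUB, and every name in it is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standalone model of the cryptomount -k chaining described in the cover
 * letter: protectors are tried in the order given, and no passphrase prompt
 * follows when every named protector fails. Not GRUB code: every name here
 * is an assumption made for illustration. */
typedef bool (*recover_fn)(unsigned char *key, size_t *len);
struct protector {
  const char *name;
  recover_fn recover;                 /* fills key/len; false on failure */
  struct protector *next;
};
static struct protector *protectors;  /* registry: the framework's role */
static int passphrase_prompts;        /* times the interactive fallback ran */

void protector_register(struct protector *p) { p->next = protectors; protectors = p; }
void protector_reset(void) { protectors = NULL; passphrase_prompts = 0; }
static struct protector *protector_find(const char *name)
{
  for (struct protector *p = protectors; p != NULL; p = p->next)
    if (strcmp(p->name, name) == 0) return p;
  return NULL;
}
/* names: the -k arguments in order (n == 0 means none were given).
 * Returns 0 when a key was recovered, -1 otherwise. */
int cryptomount_unlock(const char **names, size_t n, unsigned char *key, size_t *len)
{
  if (n == 0) {                       /* legacy path: ask for a passphrase */
    passphrase_prompts++;             /* the prompt is counted, not implemented */
    return -1;
  }
  for (size_t i = 0; i < n; i++) {
    struct protector *p = protector_find(names[i]);
    if (p == NULL) { printf("no key protector '%s'\n", names[i]); continue; }
    if (p->recover(key, len)) return 0;
    printf("key protector '%s' could not recover a key\n", names[i]);
  }
  return -1;                          /* -k was explicit: no passphrase fallback */
}
/* Constructed samples: a TPM2 unseal that fails (e.g. PCR policy mismatch)
 * and a second protector that hands back a constructed 4-byte key. */
static bool tpm2_fail(unsigned char *k, size_t *l) { (void)k; (void)l; return false; }
static bool second_ok(unsigned char *k, size_t *l) { memcpy(k, "k3y!", 4); *l = 4; return true; }
struct protector tpm2_mismatch = { "tpm2", tpm2_fail, NULL };
struct protector protector_2 = { "protector_2", second_ok, NULL };
```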


